How I hacked my own smart TV (bilingual edition)

admin, 2022-02-23 23:24:55

Everything in our home is connected to the Internet these days. Our thermostats and surveillance cameras are going to the cloud. Our refrigerators and TVs are online. Even the rice cooker can be connected to the Internet. Outside the home, we have the likes of Smart Rifles, and even though it is not clear if they can be connected to the Internet or not, they do support device-to-device Wi-Fi connections. We and our machines are increasingly connected, in ways we don’t necessarily expect or consider.


Let’s talk about my TV. When I bought a TV a few years ago, it was just a TV. Maybe it had a larger screen than the one I had before and it might have better screen resolution and refresh rates. But when I bought our new TV last year, it had something else as well. I didn’t notice it for a while, but it came embedded with a small computer. The presence of the computer isn’t obvious and I might have never even noticed it.


Others have noticed these computers though. In fact, there have been various discussions in the industry recently on the security of Smart TVs. Last year at the Black Hat Briefings security conference, two researchers, Aaron Grattafiori and Josh Yavor, discussed remote hacking exploits they had found. Basically they found cross-site scripting vulnerabilities in Samsung Smart TV apps (the apps are usually written in JavaScript). Using cross-site scripting, they acquired local user privileges. They also used a local privilege escalation issue to get system privileges. The problem here is that the default user ID that runs the whole TV application has root privileges. Just getting out of the sandbox is enough to gain total control of the system.


I was inspired by this talk and started digging into one of my TVs at home. I was really curious about what was inside the TV.



Rooting my TV

Gathering the required information was not difficult as my TV is a popular model.


The Samygo forum had some useful information in this area, especially on Samsung.


The principle is simple. You use the developer account to install private applications on your machine. Developer account information can be found here and there.


Or you can choose to unlock the TV using a local exploit. Some applications have a local vulnerability that allows unauthorized applications to get permanent access to the system level. We’ll call this an “exploit” as it is using a glitch with specific applications installed on the TV by default. Of course, you can’t use it to remotely hack into the system, but if the attacker can access the TV physically, it would be possible to install backdoors using similar methods.

Figure 1 Samygo TV discussions on getting root access to TVs

After following the instructions, I was able to root my own TV. It just took a USB stick and a few minutes of my time to see a root shell on my own system. I bought the TV six months ago and never knew that I had an extra computer in my house. The operating system looked like Linux and I confirmed this by initiating the “uname” command and checking the result.


Figure 2 Root shell on my TV

Console access
Additionally, I could have console access to the system by utilizing the system’s Ex-Link port -- the benefit with console access is that you can access an enormous amount of debug logs. You can also upload your firmware image. The physical appearance of the Ex-Link port appears to differ depending on your specific model, but basically it is a serial communication port. For my TV, it was in the form of a 3.5mm audio jack.


Figure 3 EX-LINK Port

I modified a DB9 serial cable I had around to connect with the audio jack. It took 10 minutes to come up with a homemade Ex-Link cable. The cost of the cable was under $5. When in serial communication with the TV I could see various debugging messages. Most of the information is meant for software debugging and contained component and method names along with other details. This information itself could be a really useful resource for hacking the TV.


 

Figure 4 Console Access to my TV

What we found in a few days

I’d gained access to a root shell and console output, so now what could I do? Maybe bug hunting would be fun. I downloaded the binaries from the system and looked around with IDA. Most of the binaries were ARM native code and some of the JavaScript was obfuscated. Using the netstat command showed a lot of services using TCP and UDP protocols. There were also web services, UPnP services and services using non-conventional ports. Some services were using open-source code, but some were using proprietary code (which means they might not be as hardened as their open-source counterparts -- open-source code often gets hardened as it is audited repeatedly by multiple users over the time it has been publicly available).
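As an added example (not code from the original post), this is the kind of inventory I would build from that netstat survey: it parses netstat -tuln style output into listeners, labels the web and UPnP discovery ports the text names, flags everything else as non-conventional and notes whether it is bound to all interfaces rather than loopback, and diffs against an earlier snapshot so a new listener stands out. The netstat output embedded below is constructed for the example, not captured from the author’s TV.

```python
import re
from collections import namedtuple

# Constructed netstat -tuln style output, modelled on the kind of service
# survey described above; it is not real output from the author's TV.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:7676            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:55000         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:52235           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:1900            0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*
"""

Listener = namedtuple("Listener", "proto addr port")

# Ports for the service classes the text names (web, UPnP discovery);
# anything else is reported as non-conventional and deserves a closer look.
KNOWN = {
    ("tcp", 80): "http", ("tcp", 443): "https", ("tcp", 8080): "http-alt",
    ("udp", 1900): "ssdp/upnp-discovery", ("udp", 5353): "mdns",
}

LINE_RE = re.compile(
    r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+LISTEN)?\s*$")

def parse_netstat(text):
    """Return the listening sockets found in netstat -tuln style output."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append(Listener(m.group(1), m.group(2), int(m.group(3))))
    return found

def classify(listener):
    """(service label, reachable from the network?) for one listener."""
    name = KNOWN.get((listener.proto, listener.port), "non-conventional")
    exposed = listener.addr in ("0.0.0.0", "::", "*")  # not loopback-only
    return name, exposed

def inventory(text):
    """Map 'proto/port' -> (label, exposed) for every listener in the output."""
    return {f"{l.proto}/{l.port}": classify(l) for l in parse_netstat(text)}

def new_listeners(baseline_text, current_text):
    """Ports listening now that were absent from an earlier snapshot: a cheap
    way to notice that something new on the TV has started accepting input."""
    return sorted(set(inventory(current_text)) - set(inventory(baseline_text)))
```

Run `inventory()` on a fresh `netstat -tuln` capture from the root shell and keep the result as the baseline; a later `new_listeners()` diff shows exactly which ports appeared since.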


After fiddling around in the system for a few days, I found that a service related to UPnP had issues with remote authentication. UPnP is a technology used for peer-to-peer network connectivity between PCs and other appliances (as defined here). It provides easy discovery of machines on a network and an additional means of control. The issue could allow possible control of the TV system itself by allowing remote users unauthorized access to an input device. We reported the issue to Samsung security and it is currently under investigation. They responded promptly -- the issue could be exploited by remote attackers to control the TV and its network traffic.


Just a few days of work revealed a useful vulnerability, and even though it doesn’t execute a shell command on the remote system, it could give some control to an attacker. If an attacker could control network traffic, they could redirect any traffic from the TV to a location of the attacker’s choice. This could significantly affect the fundamentals of the network’s security and eventually be used for identity theft by capturing credentials from fake web sites.



My worries

Now I’m really worried about the future. These TVs are just sitting in my bedrooms and living room, and they can be hacked. Back when the TV was not so “Smart”, I don’t remember any reports that they could be hacked in any way to monitor people. Now, the TV is “infectable” and could be a threat if that occurred. At last year’s Black Hat Briefings, SeungJin Lee presented various techniques that could hypothetically be used to rootkit your TV. He used open-source code called adbi to plant malicious code inside a vendor’s application. You can achieve various things with this rootkit technique and you can reuse ready-made toolsets. Aaron Grattafiori and Josh Yavor also used the application layer to monitor users through a webcam as the payload for their POC system compromise.


People are increasingly dependent on their gadgets. Our life is inside these gadgets -- if the gadgets get hacked, our life is hacked. You might use your TV to Skype your friends and family, or you might use it for business communications. If your TV is hacked there is a high chance that those communications could be monitored (or even possibly altered). You might save all your personal pictures and videos on your TV for convenient viewing. They are in danger if your TV is hacked. So, there is the potential for similar patterns of compromise to those we’ve seen on PCs (and are seeing on mobile devices) to repeat in the context of home appliances -- including Smart TVs.


 

Return on Investment (ROI)

I wonder how many people actually use the Smart features of their Smart TVs? Some remote exploits only work when you actually utilize a specific application or feature. The potential ROI of an exploit is dependent on the popularity of that specific application or feature. Personally, even when the same apps are available on multiple devices, I tend to use my mobile phone or PC rather than the TV. The usability of these apps tends to decline significantly when you’re forced to interface with them using a remote control. You generally don’t see malware in the wild that infects users through applications that no one uses. The Smart TV application model started relatively recently. I couldn’t find any good statistics on how Smart TV users are using their apps, but then it might be too early in the game for actual attacks to appear. Put simply, the ROI on Smart TV malware is kind of low compared to that on other platforms for malware authors. But, who knows? If popular apps appear and they have vulnerabilities, then what happened in PC security history could repeat in this space.


 

More worries and a conclusion

Even if we think that malware that abuses Smart TVs and Smart home appliances is not coming any time soon, there is still a problem. While the projected ROI prevents attackers from developing malware for Smart home devices, the same thing happens with the security industry. When there are no actual attacks, no security measures are developed to defend against them. Security in general is reactive in many cases. When malware appears, AV vendors release new signatures that capture the new “variant”. Tomorrow the malware authors will tweak their obfuscation routines and release another variant which is 99% the same as the previous one, but repacked with different vectors. The same model applies to vulnerability research -- when vulnerabilities are reported, vendors fix them.


But, the PC and mobile industries have learned a lot from their past experience and they are doing more proactive research. They perform code audits and run bug bounty programs to urge external security researchers to submit their findings. They run fuzzers on their own products to find the vulnerabilities before the bad guys do (such as this fuzzer from Microsoft). They add additional security measures to their products. Many things still break, but they also make significant improvements through these processes. The problem with Smart home devices is that while they may not have suffered as much as other systems, that’s no reason for the Smart appliance vendors to be lax about security.


The other issue with Smart home appliances is that there are few tools you can use to check if your system has been hacked. How would you know if your Smart appliances were hacked, and even if you did, how would you disinfect them? There is no good, officially published, publicly available knowledgebase for these systems. Generally the only information you can find is compiled by well-meaning individual enthusiasts who have reverse-engineered them. And vendors appear to be approaching the issue using more of a black box model (security by obscurity) rather than by publicly exposing useful details on the systems themselves.


 

There are many issues you could debate on Smart appliance security, but one thing is clear. The Smart home device is not necessarily the fortified castle it might appear. If you want to reveal the insides of these devices, there are ways to do it. If you want to find vulnerabilities, it is not extremely difficult. You can apply the same approach to this area as you would with PC or mobile software security. Smart appliances often run the same or similar operating systems (OSes) and applications as PCs and mobile devices. Now might be the time for vendors of Smart devices to be “Smart” about security too (before the attackers wise up).



Original English article:

http://community.hpe.com/t5/Security-Research/How-I-learned-to-hack-my-TV-and-started-worrying-about-the/ba-p/6383829#.VyAYdG2Wq1_


Translated by: whitecell-club.org bamb00

Reposting is welcome, but please keep the author and source.





This article first appeared on the WeChat official account WhiteCellClub under the title "How I hacked my own smart TV (bilingual edition)".

Reposted from CN-SEC中文网: https://cn-sec.com/archives/489823.html
